Transformer SDK For C  6.2.11.309924
Configuration: SSL

The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet, and offers a greater level of protection than standard HTTP transmission.

DataSource is capable of communicating with its peers over SSL, providing an encrypted channel over which the data sources can publish their data.

Making an SSL Connection

SSL certificates can be configured at either or both client and server ends of the channel - DataSource is said to be operating in server mode when requesting information and in client mode when receiving information.

Server mode only configuration

To configure DataSource for SSL when in server mode, use the datasrc-sslport option to select the network port to listen for SSL connections from DataSource peers.

It is possible for DataSource to accept both SSL and non-SSL connections on different ports. Non-SSL connections should be configured using the datasrc-port option.

Client mode only configuration

To configure DataSource for SSL when in client mode, use the ssl option in the add-peer entry for the DataSource peer that acts as server.

Note: There is no failback to non-SSL operation should the SSL connection fail to be established.

Server and client mode configuration

To configure DataSource for SSL at both client and server ends of the channel, use the start-ssl group. This group is needed in the configuration file of both client and server applications.

Configuring hardware devices

OpenSSL has built-in support for cryptographic acceleration. In newer versions of OpenSSL (versions of 0.9.6 that include the name engine in the version) an application can get a reference to a specific representation, often a hardware device. These representations are referred to as Engines.

These following configuration options are set by editing the ssl-engine-id and ssl-engine-flags configuration options.

datasrc-ssl-enable

Type: Boolean
Default: FALSE

SSL enable SSL

datasrc-ssl-port

Type: Integer
Default: 0

SSL port

datasrc-ssl-certificate

Type: String
Default: None

DataSource Server certificate

datasrc-ssl-passwordfile

Type: String
Default: None

file containing the password for the private key

datasrc-ssl-privatekey

Type: String
Default: None

private key file for the certificate

datasrc-ssl-cipherlist

Type: String
Default: None

optional list of ciphers to use

datasrc-ssl-ssloptions

Type: Integer
Default: 16777216
Acceptable Values:

NameValueDesc
SSL_OP_ALL-2147483648
SSL_OP_NO_SSLv216777216
SSL_OP_NO_SSLv333554432
SSL_OP_NO_TLSv167108864
SSL_OP_NO_TLSv1_2134217728
SSL_OP_NO_TLSv1_1268435456
SSL_OP_NO_DTLSv167108864
SSL_OP_NO_DTLSv1_2134217728

optional list of SSL options to use

ssl-debug

Type: Boolean
Default: FALSE

Enables SSL connection negotiation debugging.

ssl-random-seed

Type: Function
Default: None

Configures the seeding of the OpenSSL random number generator, which Caplin Liberator uses for session IDs and HTTPS and DataSource SSL connections.

The parameters for this option are:

Name
Description
type
Type of random number generation. Must be one of the following:

builtin This takes no arguments and uses various system commands to produce random output.
file Uses the data in the file to seed the random number generator.
exec Uses the output of the command to seed the random number generator.
arg1
If type is file, this is a filename (relative to the root directory).<br

If type is exec, this is a command (relative to the root directory)
arg2
If type is file, this specifies how many bytes of the file to use.
If type if exec, thisspecifies how many bytes of the output to use.

Examples:

ssl-random-seed builtin
ssl-random-seed file etc/randomdata
ssl-random-seed file etc/randomdata 1024
ssl-random-seed exec etc/random.sh
ssl-random-seed exec etc/random.sh 512
Note
On Linux OpenSSL is seeded by a hardware device so using ssl-randomseed may be unnecessary.

ssl-engine-id

Type: String
Default: None

This option configures the SSL hardware or software engine to support. The available engines are listed in the table below:

ssl-engine-id option Engine
openssl
The engine uses the normal built-in software functions (this is the default)
openbsd_dev_crypto On OpenBSD, this engine will use the kernel level cryptography built into the OS.
aep Uses the Aep acceleration hardware
atalla Uses the Compaq Atalla acceleration hardware
chil Uses the nCipher CHIL acceleration hardware
cswift Uses the CryptoSwift acceleration hardware
nuron Uses the Nuron acceleration hardware
ubsec Uses the Broadcom uBSec acceleration hardware
sureware Uses the SureWare acceleration hardware

ssl-engine-flags

Type: String
Default: all

This option affects the flags passed to the engine implementation.

The flags in the table below may be ORed together using the "|" operator to represent multiple flags: for example "dsa|rsa" equates to using only DSA and RSA operations

Flag Description
dh Limit engine usage to only DH operations
dsa Limit engine usage to only DSA operations
rand Limit engine usage to only random operations
rsa Limit engine usage to only RSA operations
all Allow OpenSSL to use any of the above implementations

ssl-config-name

Type: String
Default: None

The OpenSSL config name to load (default=system default)


Generated on Sat Aug 26 2017 12:36:32 for Transformer SDK For C